Latest Security Alerts & Monthly Newsletter
Find recent phishing and scam attempts targeting the Colorado State University community. View examples of actual malicious emails to stay informed and protect yourself. For more in-depth cybersecurity insights, check out our monthly newsletter authored by our cybersecurity interns.
-
QR CODES: Is Convenience Worth the Risk?
In today’s world, convenience is what drives most of our technological advancements. We are constantly pursuing new ways to make human life easier. A prime example of this comes in the form of QR Codes.
-
Phishing Attempts Target CSU accounts through Duo
Beware of text messages claiming your Microsoft account is being terminated. The Division of IT will never request your information via text message.
-
Cryptography: Encryption and Hashing
In our increasingly interconnected world, safeguarding our data comes first. Cryptography is the secret art of communicating privately in a public environment.
-
How to Spot a Phishing Attempt
Phishing emails and activity are on the rise at CSU. See the image below for a breakdown of an actual phishing email and how to spot it.
Tips and Tricks to Stay Cybersecure
Check out the resources below from university teams as well as trusted partners and experts in security, Microsoft and the National Cybersecurity Alliance.
-
How to report a suspicious email
Watch: How to Report an Outlook email (15 sec.) or follow the steps below:
- Right-click on the email to open up the options menu.
- Navigate to the ‘Report’ option.
- Select the ‘Report Phishing’ option.
Uncertain if an email is malicious? Contact the Cybersecurity Team to report an incident and stay informed about current cybersecurity alerts by visiting the Cybersecurity webpage.
-
Stay safe when emailing and texting
- Don’t rush to respond: Avoid hastily responding to official-sounding emails that urge immediate action. Phishing attacks often create a false sense of urgency, pressuring recipients to click links or share confidential information.
- Verify links and attachments: Refrain from clicking, opening, or downloading links or attachments in emails or texts unless you trust the sender. Confirm the legitimacy of the sender before taking any action.
- Validate government or official sources: If an email appears to be from a government agency or financial institution, avoid clicking provided links. Instead, conduct an internet search to find the official website and use the contact information listed there.
- Avoid sharing sensitive information: Never include confidential details, such as social security numbers or passwords, in emails or texts, even if prompted. Requests for such information are clear indicators of phishing attempts.
- Be aware of Duo push notifications: Pay attention to two-factor authentication requests and do not approve a request unless you are the one logging in.
-
Recognize phishing attempts
- Impersonation of trusted organizations: Phishing scams often involve attackers posing as representatives of trusted organizations and soliciting information.
- Financial risks: Phishing can lead to significant financial damage if personal information is surrendered to attackers. Remember that CSU will NEVER request passwords, Social Security numbers, or other sensitive information via email.
- Appearance and content: Some phishing attempts may contain errors, but sophisticated ones may appear trustworthy. Be cautious of emails asking to open files, click links, or enter information into forms.
- Beware of NetID requests: Exercise caution with emails requesting NetID information, including your username and password.
- Job scams: Students seeking employment should be aware of potential job scams.
- Take steps to verify: If an email seems suspicious, contact the sender directly rather than clicking on links. Clicking on a phishing email, even to check its legitimacy, can lead to system infections.
-
Monitor your personal information
Credit Reports: Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.
Think you’ve been phished? Place a “fraud alert” on a credit file: An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Fraud alerts are at no cost to you. To request a fraud alert, please contact any of the three major credit reporting bureaus listed below.
- Equifax
- https://www.equifax.com/personal/credit-report-services/
- 1-888-298-0045
- Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069
- Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788
- Experian
- https://www.experian.com/help/
- 1-888-397-3742
- Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013
- Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013
- TransUnion
- https://www.transunion.com/credit-help
- 1-800-916-8800
- TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
- TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Place a “credit freeze” on a credit report: This will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. By law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.
-
Password Dos and Don’ts
Do:
- Use a combination of words, symbols, and numbers to create your passwords.
- Create passwords with at least 15 characters. The more characters, the more difficult it is to break. Ex.: a 6-character password takes 6 seconds to break.
- Use modified phrases to improve password strength. Modify the password with numbers and symbols. Ex. StarGateReady could be modified as StarG8R3ady4499@.
- Change your password regularly. It’s a simple practice that will keep you secure.
Don’t:
- Don’t use public information like your birthday, family or pet name, street address, season, year, etc. to create your password.
- Don’t use keyboard patterns like QWERTY or 123456. These are common and broken in less than 6 seconds.
- Don’t re-use passwords. Once the password is compromised, the attacker can get into ANY other account using that email and password combination.
- Don’t give your passwords to anyone else or display them. The IT help desk, the IRS, and your bank will NEVER ask you for your password.
-
Password Manager Tips
A password manager provides a more secure way to manage your passwords. With password managers, you can automatically identify weak and duplicate passwords, and enhance their security. Additionally, password managers can assist you in managing your password updating schedule. It’s worth noting that CSU does not endorse any particular password manager. The main takeaway is the importance of safeguarding your passwords at all times.
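One way to implement the weak- and duplicate-password check mentioned above, using the rules from this page's Password Dos and Don’ts (15-character minimum, mixed character types, no keyboard patterns or public information, no reuse). This is an added example, not CSU's or any password manager's code; the function names, the pattern list, and the sample vault are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MIN_LENGTH = 15  # the page's "at least 15 characters"
# Constructed pattern list; the page names QWERTY and 123456 as examples.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456")
CHAR_CLASSES = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")  # letters, numbers, symbols


def check_password(password, public_info=()):
    """Return the list of rules a password breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 15 characters")
    if not all(re.search(cls, password) for cls in CHAR_CLASSES):
        problems.append("missing letters, numbers, or symbols")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    for item in public_info:  # birthday, pet name, street, year, ...
        if item and item.lower() in lowered:
            problems.append(f"contains public information: {item}")
    return problems


def audit_vault(vault, public_info=()):
    """vault maps account name -> password. Returns (weak, reused)."""
    weak, accounts_by_password = {}, defaultdict(list)
    for account, password in vault.items():
        problems = check_password(password, public_info)
        if problems:
            weak[account] = problems
        accounts_by_password[password].append(account)
    reused = sorted(sorted(a) for a in accounts_by_password.values() if len(a) > 1)
    return weak, reused


# Constructed sample vault; "StarG8R3ady4499@" is the page's own example phrase.
SAMPLE_VAULT = {
    "email": "StarG8R3ady4499@",
    "shop": "StarG8R3ady4499@",       # same password reused on a second account
    "bank": "qwerty123456",
    "forum": "Rex!2015-MapleStreet",  # pet name and birth year
}

if __name__ == "__main__":
    weak, reused = audit_vault(SAMPLE_VAULT, public_info=("Rex", "2015"))
    for account, problems in weak.items():
        print(f"{account}: {'; '.join(problems)}")  # never print the password itself
    for accounts in reused:
        print("reused across:", ", ".join(accounts))
```

The report names accounts and broken rules only, so the audit output can be shared without exposing any password.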
There are two types of password managers:
- Freestanding: These managers are labeled as freestanding because they do not communicate with other devices. They are managed on one device but files can be transferred to different devices. Examples are Password Safe, pwSafe, and KeePass.
- Cloud-based: Cloud-based managers are accessed through an app that uses a master password to access your password vault, the place where all your passwords are stored. You can sync your generated password instantly across devices. Examples are LastPass, Dashlane, and 1Password. Using a cloud-based manager doesn’t come without risk. Passwords are stored on the cloud company’s servers so you don’t own or control your password database file. Cloud storage is expensive, therefore it’s rare to find unlimited and free services.
Best Practices for Password Managers
- Always enable multi-factor or 2-factor authentication. For example, CSU uses Duo Multi-Factor Authentication.
- When using a cloud-based manager, NEVER select “Remember My Password” if the browser window offers it. If your browser is compromised, there’s a good chance your password manager will be too.
- Cloud-based managers are convenient and easy but you should never link these managers to accounts that deal with financial data, for example, credit card or banking information.